diff --git a/config/firewall/ipsec-block b/config/firewall/ipsec-block
new file mode 100644
index 000000000..9fa8e1a46
--- /dev/null
+++ b/config/firewall/ipsec-block
@@ -0,0 +1,59 @@
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2015 IPFire Team #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+VPN_CONFIG="/var/ipfire/vpn/config"
+
+block_subnet() {
+ local subnet="${1}"
+
+ # Don't block a wildcard subnet
+ if [ "${subnet}" = "0.0.0.0/0" ] || [ "${subnet}" = "0.0.0.0/0.0.0.0" ]; then
+ return 0
+ fi
+
+ iptables -A IPSECBLOCK -d "${subnet}" -j REJECT --reject-with icmp-net-unreachable
+}
+
+block_ipsec() {
+ # Flush all exists rules
+ iptables -F IPSECBLOCK
+
+ local id status name lefthost type ctype unknown1 unknown2 unknown3
+ local leftsubnets unknown4 righthost rightsubnets rest
+ while IFS="," read -r id status name lefthost type ctype unkown1 unknown2 unknown3 \
+ leftsubnets unknown4 righthost rightsubnets rest; do
+ # Check if the connection is enabled
+ [ "${status}" = "on" ] || continue
+
+ # Check if this a net-to-net connection
+ [ "${type}" = "net" ] || continue
+
+ # Split multiple subnets
+ rightsubnets="${rightsubnets//\|/ }"
+
+ local rightsubnet
+ for rightsubnet in ${rightsubnets}; do
+ block_subnet "${rightsubnet}"
+ done
+ done < "${VPN_CONFIG}"
+}
+
+block_ipsec || exit $?
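Review bot: The `iptables -F IPSECBLOCK` at the top of block_ipsec empties the chain before the read loop adds anything back, so for the duration of the script — which ipsecctrl.c runs right after `ipsec down` — packets for a remote subnet whose tunnel is down match `--pol none` with nothing left to reject them and can leave RED in clear text, which is exactly the leak this chain exists to stop. Collecting the `-A IPSECBLOCK` lines first and committing them together with the flush through `iptables-restore --noflush` (provided the installed iptables-restore accepts `-F` lines in its input) closes that window; a sketch follows. Two smaller points in the same function: the `read -r … unkown1` field is misspelled against the `local … unknown1` declaration, so that column lands in a global variable, and a failing `iptables -A` inside block_subnet is ignored, so a malformed subnet string in the config leaves that network unprotected without any trace — `block_subnet "${rightsubnet}" || return 1` (or a logger call) would surface it.
```shell
block_ipsec() {
	# Collect the complete rule set first and commit it together with the
	# flush, so the chain is never empty while a tunnel happens to be down
	local rules="*filter"$'\n'"-F IPSECBLOCK"$'\n'
	local rightsubnet
	# … unchanged: read loop over "${VPN_CONFIG}", skipping disabled and
	#     non net-to-net connections and splitting rightsubnets on "|" …
		# … unchanged: wildcard check from block_subnet …
		rules+="-A IPSECBLOCK -d ${rightsubnet} -j REJECT --reject-with icmp-net-unreachable"$'\n'
	# … unchanged: end of the loops, input redirected from "${VPN_CONFIG}" …
	rules+="COMMIT"$'\n'
	printf '%s' "${rules}" | iptables-restore --noflush
}
```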
diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2
index 90e28d9c4..4021cafad 100644
--- a/config/rootfiles/common/stage2
+++ b/config/rootfiles/common/stage2
@@ -73,6 +73,7 @@ run
 #usr/lib
 usr/lib/firewall
 usr/lib/firewall/firewall-lib.pl
+usr/lib/firewall/ipsec-block
 usr/lib/firewall/rules.pl
 #usr/lib/libgcc_s.so
 usr/lib/libgcc_s.so.1
diff --git a/config/rootfiles/common/x86_64/stage2 b/config/rootfiles/common/x86_64/stage2
index 0ac9ab55a..531daaadd 100644
--- a/config/rootfiles/common/x86_64/stage2
+++ b/config/rootfiles/common/x86_64/stage2
@@ -74,6 +74,7 @@ run
 #usr/lib
 usr/lib/firewall
 usr/lib/firewall/firewall-lib.pl
+usr/lib/firewall/ipsec-block
 usr/lib/firewall/rules.pl
 #usr/lib/libgcc_s.so
 usr/lib/libgcc_s.so.1
diff --git a/lfs/stage2 b/lfs/stage2
index 3244fa36f..ec5d1170d 100644
--- a/lfs/stage2
+++ b/lfs/stage2
@@ -114,6 +114,8 @@ endif
 /usr/lib/firewall/rules.pl
 install -m 644 $(DIR_SRC)/config/firewall/firewall-lib.pl \
 /usr/lib/firewall/firewall-lib.pl
+ install -m 755 $(DIR_SRC)/config/firewall/ipsec-block \
+ /usr/lib/firewall/ipsec-block
 
 # Nobody user
 -mkdir -p /home/nobody
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 8ca02bc9d..2d462d786 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -115,6 +115,11 @@ iptables_init() {
 iptables -A INPUT -j GUARDIAN
 iptables -A FORWARD -j GUARDIAN
 
+ # Block non-established IPsec networks
+ iptables -N IPSECBLOCK
+ iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK
+ iptables -A OUTPUT -m policy --dir out --pol none -j IPSECBLOCK
+
 # Block OpenVPN transfer networks
 iptables -N OVPNBLOCK
 iptables -A INPUT -i tun+ -j OVPNBLOCK
@@ -270,6 +275,9 @@ iptables_init() {
 iptables -t nat -N REDNAT
 iptables -t nat -A POSTROUTING -j REDNAT
 
+ # Populate IPsec block chain
+ /usr/lib/firewall/ipsec-block
+
 # Apply OpenVPN firewall rules
 /usr/local/bin/openvpnctrl --firewall-rules
 
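Review bot: The OUTPUT jump added in the first firewall hunk also evaluates the firewall's own IKE (UDP 500/4500) and ESP packets towards the peer, which carry no xfrm policy and therefore match `--pol none`; should an administrator's right subnet contain the peer gateway's address, those packets are rejected by IPSECBLOCK and the tunnel can never be established — a deadlock that is hard to diagnose from the WebUI (how common that configuration is I cannot tell from here). Because `/usr/lib/firewall/ipsec-block` flushes IPSECBLOCK on every run, an exemption placed in the chain at creation time would not survive the first reload, so it belongs either in the script directly after the flush, e.g. `iptables -A IPSECBLOCK -p esp -j RETURN` and `iptables -A IPSECBLOCK -p udp -m multiport --dports 500,4500 -j RETURN`, or in a rule ahead of the jump. In the second hunk the script's exit status is discarded, so a failure to populate the chain at boot leaves no trace; `/usr/lib/firewall/ipsec-block || logger -t firewall "ipsec-block failed"` would at least record it. iptables_init starts and ends outside both hunks.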
diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c
index e99202d9f..7499e94c9 100644
--- a/src/misc-progs/ipsecctrl.c
+++ b/src/misc-progs/ipsecctrl.c
@@ -144,6 +144,9 @@ void turn_connection_on(char *name, char *type) {
 "/usr/sbin/ipsec down %s >/dev/null", name);
 safe_system(command);
 
+ // Reload the IPsec block chain
+ safe_system("/usr/lib/firewall/ipsec-block >/dev/null");
+
 // Reload the configuration into the daemon (#10339).
 ipsec_reload();
 
@@ -302,6 +305,7 @@ int main(int argc, char *argv[]) {
 // start the system
 if ((argc == 2) && strcmp(argv[1], "S") == 0) {
+ safe_system("/usr/lib/firewall/ipsec-block >/dev/null");
 safe_system("/usr/sbin/ipsec restart >/dev/null");
 exit(0);
 }
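Review bot: The result of `safe_system("/usr/lib/firewall/ipsec-block >/dev/null")` in turn_connection_on is thrown away, so if the chain cannot be rebuilt (chain not yet created, config unreadable) the helper carries on as if the block rules were in place; assuming safe_system() returns the command status like the rest of this file presumably relies on, something like `if (safe_system("/usr/lib/firewall/ipsec-block >/dev/null")) fprintf(stderr, "ipsecctrl: ipsec-block failed\n");` would at least make the failure visible — the body of turn_connection_on starts and ends outside the hunk. The script is started through the shell and itself locates `iptables` via PATH; unless safe_system() sanitizes the environment, a helper of this kind (commonly installed setuid root so the WebUI can call it) should pass a fixed PATH or the script should use absolute binary paths. Only the "on" path refreshes the chain; if the file also has a path that turns a connection off or deletes it (not visible here), the stale REJECT rules for that subnet persist until the next reload and block ordinary routed traffic to a network that no longer has a VPN.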